Veeam's Anomaly Detection for Ransomware
Updated: Mar 29
Veeam's Data Protection Trends report, which surveyed over 4,000 anonymous companies, found that 85% of organizations experienced some form of ransomware in the last year. Since a ransomware attack is far more likely than a natural disaster, power outage or other DR-type event, it is critical that IT organizations plan for quick recoveries, as discussed in a previous post.
A crucial component of a successful quick recovery is identifying the last known good backup. Without it, organizations can spend countless hours, if not days, attempting to restore data that is already corrupted. The same report found that companies took between one and two weeks on average to recover their data. That is far longer than recovery from other DR-type events, because much of the time is spent identifying and scanning for the last known clean backup to restore from.
Veeam has a three-tiered approach to helping companies identify the best point-in-time (PIT) to recover from:
1. Identify suspicious behavior on the production VMs themselves (VMware and Hyper-V)
2. Identify anomalies in the underlying backup files
3. Automatically scan backup files before restoring machines into production
Identifying Suspicious Behavior on the VMs:
Making sure there is a recoverable backup is just one step; it is also important to monitor the entire environment for suspicious or unusual activity. Veeam goes beyond looking at the backup data for anomalies and also watches the hypervisor and network level. Higher-than-normal disk writes or CPU utilization on a VM can be a sign that ransomware has infected it. The goal of the alarm is to pinpoint the potentially infected machine before the infection can propagate to other systems.
The historical view is the key part of this alarm: it helps identify when the ransomware activity likely began and which backups are a good place to start recovery.
Identifying Anomalies in Backups:
Veeam's Suspicious Backup File Size Analyzer lives up to its name. This alarm identifies patterns in your backup data by analyzing backups for a large number of file and block changes. If an anomaly is detected, an alert is sent to the system administrators.
This alarm can be easily integrated into the main Veeam console thanks to a brilliant script from Steve Herzig! If an anomaly is detected, it is shown in the job statistics.
Simply take the script from GitHub and place it in the post-script section of your backup jobs. Specify how many previous PITs you would like it to analyze in the "Depth" field, and what amount of growth should be considered suspicious in the "Growth" field.
These first two steps give the business a good idea of which PITs to recover from. Without them, ransomware is the worst kind of disaster, because countless hours or even days are spent manually identifying the point in time to recover from.
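To make the "Depth" and "Growth" idea concrete, here is an added Python example (not the GitHub script referenced above and not Veeam's code) that flags the newest restore point when its backup file is much larger than the median of the previous Depth points of the same type; the restore-point names and sizes are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class RestorePoint:
    name: str        # backup file name (.vbk full or .vib increment)
    kind: str        # "full" or "incremental"
    size_bytes: int


def analyze_growth(points, depth, growth_pct):
    """Compare the newest restore point against the median size of the
    previous `depth` points of the same kind ("Depth" and "Growth" in the
    post). Fulls and increments are never mixed: a full is always many
    times larger than the increments around it and would false-alarm.

    Returns (suspicious, growth_percent_or_None, reason).
    """
    if not points:
        return False, None, "no restore points"
    latest = points[-1]
    history = [p for p in points[:-1] if p.kind == latest.kind][-depth:]
    if not history:
        return False, None, f"no earlier {latest.kind} points to compare against"
    baseline = median(p.size_bytes for p in history)
    if baseline == 0:
        return False, None, "baseline size is zero"
    growth = (latest.size_bytes - baseline) / baseline * 100.0
    reason = (f"{latest.name} changed {growth:+.1f}% versus the median of "
              f"{len(history)} previous {latest.kind} point(s)")
    return growth >= growth_pct, growth, reason


# Constructed sample chain: a weekly full, then daily increments that stay
# small until the newest one, where encrypted blocks no longer dedupe/compress.
GIB = 1024 ** 3
SAMPLE_CHAIN = [
    RestorePoint("web01_full.vbk", "full", 120 * GIB),
    RestorePoint("web01_d1.vib", "incremental", 3 * GIB),
    RestorePoint("web01_d2.vib", "incremental", 4 * GIB),
    RestorePoint("web01_d3.vib", "incremental", 3 * GIB),
    RestorePoint("web01_d4.vib", "incremental", 41 * GIB),
]

if __name__ == "__main__":
    flagged, pct, why = analyze_growth(SAMPLE_CHAIN, depth=3, growth_pct=100)
    print("SUSPICIOUS" if flagged else "ok", "-", why)
```

A real post-job script would read the sizes of the job's restore points instead of the constructed list and raise the alert through the job's result, which is how the anomaly ends up in the job statistics.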
Automatically Scan Backups Before Restoring:
Lastly, whether scanning proactively or reactively, Veeam can scan backup files for malware prior to restoring machines into production. If malware is found, you can either abort the recovery or restore the machine without attaching a network, so that deeper forensics can be performed in isolation.
Organizations can use any scanning tool that has a CLI, for example Trend Micro, Bitdefender or Windows Defender. Simply edit the XML file here.
Veeam is on a mission to help customers recover from ransomware. I have personally seen Veeam be the hero many times for organizations. Veeam believes that combining the above steps to identify a clean PIT with the fastest recovery options available in the marketplace is a great recipe to help IT organizations sleep well at night.